Apache access.log interpretation
Posted by Pantelis Sopasakis on Server Fault
Published on 2011-03-18T12:18:29Z
Indexed on 2011/03/18 16:12 UTC
In the log file of apache (access.log) I find log entries like the following:
10.20.30.40 - - [18/Mar/2011:02:12:44 +0200] "GET /index.php HTTP/1.1" 404 505 "-" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.7.62 Version/11.01"
Whose meaning is clear: The client with IP 10.20.30.40 applied a GET HTTP method on /index.php (that is to say http://mysite.org/index.php) receiving a status code 404 using Opera as client/browser. What I don't understand is entries like the following:
174.34.231.19 - - [18/Mar/2011:02:24:56 +0200] "GET http://www.siasatema.com HTTP/1.1" 200 469 "-" "Python-urllib/2.4"
So here what I see is that someone (client with IP 174.34.231.19) accessed http://www.siasatema.com and got a 200 HTTP status code (?). It doesn't make sense to me... the only interpretation I can think of is that my apache server acts like a proxy! Here are some other requests that don't have my site as destination...
187.35.50.61 - - [18/Mar/2011:01:28:20 +0200] "POST http://72.26.198.222:80/log/normal/ HTTP/1.0" 404 491 "-" "Octoshape-sua/1010120"
87.117.203.177 - - [18/Mar/2011:01:29:59 +0200] "CONNECT 64.12.244.203:80 HTTP/1.0" 405 556 "-" "-"
87.117.203.177 - - [18/Mar/2011:01:29:59 +0200] "open 64.12.244.203 80" 400 506 "-" "-"
87.117.203.177 - - [18/Mar/2011:01:30:04 +0200] "telnet 64.12.244.203 80" 400 506 "-" "-"
87.117.203.177 - - [18/Mar/2011:01:30:09 +0200] "64.12.244.203 80" 400 301 "-" "-"
I believe that all these are related to some kind of attack or abuse of the server. Could someone explain to me what is going on and how to cope with this situation?
Update 1:
I disabled mod_proxy to make sure that I don't have an open proxy:
# a2dismod proxy
from which I got the message:
Module proxy already disabled
I made sure that there is no file proxy.conf under $APACHE/mods-enabled. Finally, I set on my browser (Mozilla) my IP as a proxy and tried to access http://google.com. I was not redirected to google.com but instead my web page appeared. The same happened when trying to access http://a.b (!). So my server does not really work as a proxy since it does not forward the requests... But I think it would be better if somehow I could configure it to return a status code 403.
Here is my apache configuration file:
<VirtualHost *:80>
    ServerName mysite.org
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog /var/log/apache2/error.log
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>
Update 2:
Using a Limit block, I restrict the use of methods other than GET and POST...
<Limit POST PUT CONNECT HEAD OPTIONS DELETE PATCH PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
    Order deny,allow
    Deny from all
</Limit>
<LimitExcept GET>
    Order deny,allow
    Deny from all
</LimitExcept>
Now methods other than GET are forbidden (403). My only question now is whether there is some trick to boot out those who try to use my server as a proxy...
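The request lines in the question fall into three shapes that the combined log format lets you tell apart mechanically: an ordinary origin-form target (`GET /index.php`), an absolute URI or CONNECT target of the kind a client sends to a forward proxy (`GET http://www.siasatema.com`, `CONNECT 64.12.244.203:80`), and lines that are not HTTP at all (`open 64.12.244.203 80`, `telnet 64.12.244.203 80`), which Apache answers with 400. The script below is an added example, not code from the question or its answers: it parses lines in the `combined` format the questioner's `CustomLog` directive names, classifies each request line, and groups the proxy-style and malformed ones by client with the status codes they received. The sample log is constructed from the question's own entries plus nothing else; the function and variable names are the example's own.

```python
import re
from collections import Counter

# Apache "combined" log format: host ident user [time] "request" status size "referer" "agent".
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: the entries quoted in the question, one per line.
SAMPLE_LOG = [
    '10.20.30.40 - - [18/Mar/2011:02:12:44 +0200] "GET /index.php HTTP/1.1" 404 505 "-" '
    '"Opera/9.80 (Windows NT 6.1; U; en) Presto/2.7.62 Version/11.01"',
    '174.34.231.19 - - [18/Mar/2011:02:24:56 +0200] "GET http://www.siasatema.com HTTP/1.1" '
    '200 469 "-" "Python-urllib/2.4"',
    '187.35.50.61 - - [18/Mar/2011:01:28:20 +0200] "POST http://72.26.198.222:80/log/normal/ '
    'HTTP/1.0" 404 491 "-" "Octoshape-sua/1010120"',
    '87.117.203.177 - - [18/Mar/2011:01:29:59 +0200] "CONNECT 64.12.244.203:80 HTTP/1.0" 405 556 "-" "-"',
    '87.117.203.177 - - [18/Mar/2011:01:29:59 +0200] "open 64.12.244.203 80" 400 506 "-" "-"',
    '87.117.203.177 - - [18/Mar/2011:01:30:04 +0200] "telnet 64.12.244.203 80" 400 506 "-" "-"',
    '87.117.203.177 - - [18/Mar/2011:01:30:09 +0200] "64.12.244.203 80" 400 301 "-" "-"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def classify_request(request):
    """Classify the request line: 'origin', 'absolute-uri', 'connect' or 'malformed'.

    'absolute-uri' and 'connect' are the forms a client sends to a forward proxy;
    'malformed' covers anything that is not a three-token HTTP request line.
    """
    parts = request.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "malformed"
    method, target, _version = parts
    if method == "CONNECT":
        return "connect"
    if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", target):
        return "absolute-uri"
    if target.startswith("/") or target == "*":
        return "origin"
    return "malformed"


def audit(lines):
    """Group every non-origin request by client host, counting kinds and status codes."""
    report = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify_request(rec["request"])
        if kind == "origin":
            continue  # normal traffic to this site; not of interest here
        entry = report.setdefault(rec["host"], {"kinds": Counter(), "statuses": Counter()})
        entry["kinds"][kind] += 1
        entry["statuses"][rec["status"]] += 1
    return report


if __name__ == "__main__":
    for host, entry in audit(SAMPLE_LOG).items():
        kinds = ", ".join(f"{k}={n}" for k, n in sorted(entry["kinds"].items()))
        statuses = ", ".join(f"{s}={n}" for s, n in sorted(entry["statuses"].items()))
        print(f"{host}: {kinds}; statuses {statuses}")
```

Run against a real access.log with `audit(open(path).read().splitlines())`. Note that a 200 on an absolute-URI request does not by itself show the request was forwarded: with mod_proxy disabled, Apache serves the path component of the URI from its own DocumentRoot, which is exactly what the questioner's browser test with http://google.com showed. The status column is the useful signal: 200/404 means the local site answered, 405 means the method was refused, 400 means the line was not valid HTTP. If the goal is to answer such lines with 403 instead, mod_rewrite can match the raw request line via `%{THE_REQUEST}` (for example a condition on a method followed by `http://` or `https://`) and return `[F]`; that is a general mod_rewrite technique, not something the question's configuration already does.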
© Server Fault or respective owner